King of Spam: Festi botnet analysis

We have just completed fresh analysis of the malicious software known as Win32/Festi. While the "Festi" botnet created with this malware has been in business since the autumn of 2009 we can see that the software is frequently updated, as described in our analysis, and these updates mean Festi continues to be a potent threat (Festi is detected by ESET as Win32/Rootki.Festi). You can download our whitepaper with the complete analysis here (.pdf). What follows are some of the highlights.

According to statistics from M86 Security Labs, Win32/Festi is one of the three most active spam botnets in the world. Thanks to plugin modules that we describe in our analysis Win32/Festi is also capable of being used for distributed denial of service (DDoS) attacks. The malware's kernel-mode driver implements backdoor functionality and is capable of:

Updating configuration data from the C&C (command and control server);

Downloading additional dedicated plugins.

As show in the diagram on the right, the Win32/Festi kernel-mode driver periodically contacts the C&C server and requests plugins and configuration information. The downloaded plugins perform the bot’s main tasks, such as sending spam.

In an interesting twist, these plugins are kernel-mode drivers which aren’t saved on any storage device in the system and are volatile in memory. Thus, when the infected computer is switched off or rebooted, which a victim might do if they sense something is wrong with their system, the plugins vanish from system memory. This makes forensic analysis of the malware significantly harder since the only file stored on the hard drive is the main kernel-mode driver, and this contains neither the payload nor information regarding which sites to attack or target with spam.

Each plugin is dedicated to performing certain kinds of work such as performing DDoS attacks against a specified network resource or sending spam. The plugins communicate with the main driver through a well-defined interface which we have documented in our white paper.

Another interesting aspect of Win32/Festi that we describe in our analysis is the malware's ability to bypass personal firewalls and HIPS systems that may be installed on the infected machine. To communicate with C&C servers and send spam and perform DDoS attacks, Win32/Festi relies on a TCP/IP stack implemented in Microsoft Windows OS in kernel-mode. However, the bot uses a custom implementation of the ZwCreateFile system service to send IRP requests directly to the transport driver.

Other evasive techniques that Win32/Festi employs include detecting whether it is running inside a VMware virtual machine and checking for the presence of a kernel debugger. We describe these in our detailed Win32/Festi analysis (.pdf).